FWIW, I handle my user interactions like this:

There's a 'normal' Pyramid Beaker session on HTTP sessions used to maintain login state and display data (request.session).

There's a secondary HTTPS-only session, provided by a quick library I put together (request.session_https): pyramid_subscribers_beaker_https_session.

The HTTPS session records, on the server side, details about the login (the time; the source [by form, by auto-login, by Facebook], etc.).

Different site functions require different login credentials. For example, updating account info requires a "Form" login refresh of 5 minutes.

Anything in "/account" is on HTTPS.

All AJAX requests that deal with user data or "write" requests are piped through to the HTTPS server via a "porthole".

HTTPS still uses its own CSRF too.
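One way to implement the per-area login-freshness rule the post describes, as an added example in plain Python rather than the author's pyramid_subscribers_beaker_https_session library: the https-only session is modelled as a dict, Pyramid is not imported, and the URL prefixes and every policy value other than the 5-minute form-login rule for account updates are assumptions.

```python
# Step-up authentication check modelled on the two-session layout described in
# the post. Added illustration, not the author's library: the https-only
# session is a plain dict and Pyramid is not imported, so this runs with the
# standard library only.
from dataclasses import dataclass
from typing import Mapping, Optional

FORM, AUTO, FACEBOOK = "form", "auto-login", "facebook"  # login sources named in the post


@dataclass(frozen=True)
class FreshnessPolicy:
    allowed_sources: frozenset       # which login kinds satisfy this area
    max_age_seconds: Optional[int]   # None: any login age is acceptable


# Hypothetical per-prefix policies. The 5-minute form login for account updates
# is from the post; the looser /account entry is a constructed example.
POLICIES = {
    "/account/update": FreshnessPolicy(frozenset({FORM}), 300),
    "/account": FreshnessPolicy(frozenset({FORM, AUTO, FACEBOOK}), None),
}


def policy_for(path: str) -> Optional[FreshnessPolicy]:
    """Longest matching prefix wins, so /account/update beats /account."""
    for prefix in sorted(POLICIES, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return POLICIES[prefix]
    return None


def login_is_fresh_enough(session_https: Optional[Mapping], path: str, now: float) -> bool:
    """True when the https-session login record satisfies the path's policy.

    session_https mirrors what the post keeps server side: login_time (epoch
    seconds) and login_source. A missing record, an unknown source, a login
    timestamp in the future or a stale login all fail closed."""
    policy = policy_for(path)
    if policy is None:
        return True  # not a protected area; the https session is not consulted
    if not session_https or "login_time" not in session_https:
        return False
    if session_https.get("login_source") not in policy.allowed_sources:
        return False
    age = now - float(session_https["login_time"])
    if age < 0:
        return False
    return policy.max_age_seconds is None or age <= policy.max_age_seconds
```

A view for a protected area would call login_is_fresh_enough with the request path and, on False, redirect to the form login instead of serving the write.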
